[RFC,1/3] glibc: Perform rseq(2) registration at C startup and thread creation (v18)

Register rseq(2) TLS for each thread (including main), and unregister
for each thread (excluding main). "rseq" stands for Restartable
Sequences.

See the rseq(2) man page proposed here:
  https://lkml.org/lkml/2018/9/19/647

those are based on glibc master branch commit a9bfa4353cd39ae2eae3c111844a32f9d3abbc19.
The rseq(2) system call was merged into Linux 4.18.

This patch depends on "elf: Add initial flag argument to __libc_early_init"
from Florian Weimer.

CC: Carlos O'Donell <carlos@redhat.com>
CC: Florian Weimer <fweimer@redhat.com>
CC: Joseph Myers <joseph@codesourcery.com>
CC: Szabolcs Nagy <szabolcs.nagy@arm.com>
CC: Thomas Gleixner <tglx@linutronix.de>
CC: Ben Maurer <bmaurer@fb.com>
CC: Peter Zijlstra <peterz@infradead.org>
CC: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
CC: Boqun Feng <boqun.feng@gmail.com>
CC: Will Deacon <will.deacon@arm.com>
CC: Dave Watson <davejwatson@fb.com>
CC: Paul Turner <pjt@google.com>
CC: Rich Felker <dalias@libc.org>
CC: libc-alpha@sourceware.org
CC: linux-kernel@vger.kernel.org
CC: linux-api@vger.kernel.org
---
Changes since v1:
- Move __rseq_refcount to an extra field at the end of __rseq_abi to
  eliminate one symbol.

  All libraries/programs which try to register rseq (glibc,
  early-adopter applications, early-adopter libraries) should use the
  rseq refcount. It becomes part of the ABI within a user-space
  process, but it's not part of the ABI shared with the kernel per se.

- Restructure how this code is organized so glibc keeps building on
  non-Linux targets.

- Use non-weak symbol for __rseq_abi.

- Move rseq registration/unregistration implementation into its own
  nptl/rseq.c compile unit.

- Move __rseq_abi symbol under GLIBC_2.29.

Changes since v2:
- Move __rseq_refcount to its own symbol, which is less ugly than
  trying to play tricks with the rseq uapi.
- Move __rseq_abi from nptl to csu (C start up), so it can be used
  across glibc, including memory allocator and sched_getcpu(). The
  __rseq_refcount symbol is kept in nptl, because there is no reason
  to use it elsewhere in glibc.

Changes since v3:
- Set __rseq_refcount TLS to 1 on register/set to 0 on unregister
  because glibc is the first/last user.
- Unconditionally register/unregister rseq at thread start/exit, because
  glibc is the first/last user.
- Add missing abilist items.
- Rebase on glibc master commit a502c5294.
- Add NEWS entry.

Changes since v4:
- Do not use "weak" symbols for __rseq_abi and __rseq_refcount. Based on
  "System V Application Binary Interface", weak only affects the link
  editor, not the dynamic linker.
- Install a new sys/rseq.h system header on Linux, which contains the
  RSEQ_SIG definition, __rseq_abi declaration and __rseq_refcount
  declaration. Move those definition/declarations from rseq-internal.h
  to the installed sys/rseq.h header.
- Considering that rseq is only available on Linux, move csu/rseq.c to
  sysdeps/unix/sysv/linux/rseq-sym.c.
- Move __rseq_refcount from nptl/rseq.c to
  sysdeps/unix/sysv/linux/rseq-sym.c, so it is only defined on Linux.
- Move both ABI definitions for __rseq_abi and __rseq_refcount to
  sysdeps/unix/sysv/linux/Versions, so they only appear on Linux.
- Document __rseq_abi and __rseq_refcount volatile.
- Document the RSEQ_SIG signature define.
- Move registration functions from rseq.c to rseq-internal.h static
  inline functions. Introduce empty stubs in misc/rseq-internal.h,
  which can be overridden by architecture code in
  sysdeps/unix/sysv/linux/rseq-internal.h.
- Rename __rseq_register_current_thread and __rseq_unregister_current_thread
  to rseq_register_current_thread and rseq_unregister_current_thread,
  now that those are only visible as internal static inline functions.
- Invoke rseq_register_current_thread() from libc-start.c LIBC_START_MAIN
  rather than nptl init, so applications not linked against
  libpthread.so have rseq registered for their main() thread. Note that
  it is invoked separately for SHARED and !SHARED builds.

Changes since v5:
- Replace __rseq_refcount by __rseq_lib_abi, which contains two
  uint32_t: register_state and refcount. The "register_state" field
  allows inhibiting rseq registration from signal handlers nested on top
  of glibc registration and occuring after rseq unregistration by glibc.
- Introduce enum rseq_register_state, which contains the states allowed
  for the struct rseq_lib_abi register_state field.

Changes since v6:
- Introduce bits/rseq.h to define RSEQ_SIG for each architecture.
  The generic bits/rseq.h does not define RSEQ_SIG, meaning that each
  architecture implementing rseq needs to implement bits/rseq.h.
- Rename enum item RSEQ_REGISTER_NESTED to RSEQ_REGISTER_ONGOING.
- Port to glibc-2.29.

Changes since v7:
- Remove __rseq_lib_abi symbol, including refcount and register_state
  fields.
- Remove reference counting and nested signals handling from
  registration/unregistration functions.
- Introduce new __rseq_handled exported symbol, which is set to 1
  by glibc on C startup when it handles restartable sequences.
  This allows glibc to coexist with early adopter libraries and
  applications wishing to register restartable sequences when it
  is not handled by glibc.
- Introduce rseq_init (), which sets __rseq_handled to 1 from
  C startup.
- Update NEWS entry.
- Update comments at the beginning of new files.
- Registration depends on both __NR_rseq and RSEQ_SIG.
- Remove ARM, powerpc, MIPS RSEQ_SIG until we agree with maintainers
  on the signature choice.
- Update x86, s390 RSEQ_SIG based on discussion with arch maintainers.
- Remove rseq-internal.h from headers list of misc/Makefile, so it
  it not installed by make install.

Changes since v8:
- Introduce RSEQ_SIG_CODE and RSEQ_SIG_DATA on aarch64 to handle
  compiling with -mbig-endian.

Changes since v9:
- Update Changelog.
- Remove unneeded new file comment header newlines.

Changes since v10:
- Remove volatile from __rseq_abi declaration.
- Document that __rseq_handled is about library managing rseq
  registration, independently of whether rseq is available or not.
- Move __rseq_handled symbol to ld.so, initialize this symbol within
  the dynamic linker initialization for both shared (rtld.c) and static
  (dl-support.c) builds.
- Only register the rseq TLS on initialization once in multiple-libc
  scenarios. Use rtld_active () for this purpose.
- In the static libc case, register the rseq TLS after LD_PRELOAD
  constructors are run, so it matches the order of this initialization
  vs LD_PRELOAD contructors execution for the shared libc.
- Agreed on signature choice with powerpc and MIPS maintainers,
  re-adding those signatures,
- The main architecture still left out signature-wise is ARM32.

Changes since v11:
- Rebase on glibc 2.30.
- Re-introduce ARM RSEQ_SIG following feedback from Will Deacon.

Changes since v12:
- Remove __rseq_handled,
- Rely on OS implicit rseq unregistration on thread teardown,
- Register main thread in __libc_early_init ().
- Add Restartable Sequences entry to threads manual.

Changes since v13:
- Update following be/le abilist split for arm, microblaze, and sh.
- Update manual to add the __rseq_abi variable and RSEQ_SIG macro to
  generate manual index entries, and add missing "Restartable Sequences"
  menu entry to the threads chapter.

Changes since v14:
- Update copyright range to include 2020.
- Introduce __ASSUME_RSEQ defined for --enable-kernel=4.18.0 and higher.
- Use ifdef __ASSUME_RSEQ rather than ifdef __NR_rseq to discover rseq
  availability. This is necessary now that the system call numbers are
  integrated within glibc.

Changes since v15:
- Remove __ASSUME_RSEQ from kernel features.
- rseq internal: remove assume rseq
- remove assume rseq and struct rseq def from sysdeps/unix/sysv/linux/rseq-sym.c
- sys/rseq.h: detect rseq header, implement fallback
- sysdeps/unix/sysv/linux/sys/rseq.h include cdefs.h, add _Static_assert
  to validate struct rseq and struct rseq_cs alignment.
- sys/rseq.h: document that posix_memalign should be used rather than
  malloc if allocating struct rseq or struct rseq_cs on the heap. This
  is required to guarantee 32-byte alignement.

Changes since v16:
- Move rseq NEWS entry under 2.32.
- Move new __rseq_abi symbol to GLIBC_2.32.

Changes since v17:
- Change copyright year to 2020.
- Refer to GNU C Library manual rather than rseq manpage in NEWS.
- Use "initial" parameter from __libc_early_init ().
- Manual: rseq is Linux rather than GNU std.
- Remove rseq_unregister_current_thread () (unused).
- rseq_register_current_thread () returns void.
- Coding style fixes.
- sys/rseq.h: use "32" for alignment.
- Change http:// for https:// in comments.
- Add const struct rseq_cs * field to rseq_cs union.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
CC: Carlos O'Donell <carlos@redhat.com>
CC: Florian Weimer <fweimer@redhat.com>
CC: Joseph Myers <joseph@codesourcery.com>
CC: Szabolcs Nagy <szabolcs.nagy@arm.com>
CC: Thomas Gleixner <tglx@linutronix.de>
CC: Ben Maurer <bmaurer@fb.com>
CC: Peter Zijlstra <peterz@infradead.org>
CC: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
CC: Boqun Feng <boqun.feng@gmail.com>
CC: Will Deacon <will.deacon@arm.com>
CC: Paul Turner <pjt@google.com>
CC: Rich Felker <dalias@libc.org>
CC: libc-alpha@sourceware.org
CC: linux-kernel@vger.kernel.org
CC: linux-api@vger.kernel.org
---
 NEWS                                          |  10 +
 elf/libc_early_init.c                         |   4 +
 manual/threads.texi                           |  30 ++-
 misc/rseq-internal.h                          |  26 +++
 nptl/pthread_create.c                         |  13 ++
 sysdeps/unix/sysv/linux/Makefile              |   5 +-
 sysdeps/unix/sysv/linux/Versions              |   1 +
 sysdeps/unix/sysv/linux/aarch64/bits/rseq.h   |  43 ++++
 sysdeps/unix/sysv/linux/aarch64/libc.abilist  |   1 +
 sysdeps/unix/sysv/linux/alpha/libc.abilist    |   1 +
 sysdeps/unix/sysv/linux/arm/be/libc.abilist   |   1 +
 sysdeps/unix/sysv/linux/arm/bits/rseq.h       |  83 +++++++
 sysdeps/unix/sysv/linux/arm/le/libc.abilist   |   1 +
 sysdeps/unix/sysv/linux/bits/rseq.h           |  29 +++
 sysdeps/unix/sysv/linux/csky/libc.abilist     |   1 +
 sysdeps/unix/sysv/linux/hppa/libc.abilist     |   1 +
 sysdeps/unix/sysv/linux/i386/libc.abilist     |   1 +
 sysdeps/unix/sysv/linux/ia64/libc.abilist     |   1 +
 .../sysv/linux/m68k/coldfire/libc.abilist     |   1 +
 .../unix/sysv/linux/m68k/m680x0/libc.abilist  |   1 +
 .../sysv/linux/microblaze/be/libc.abilist     |   1 +
 .../sysv/linux/microblaze/le/libc.abilist     |   1 +
 sysdeps/unix/sysv/linux/mips/bits/rseq.h      |  62 ++++++
 .../sysv/linux/mips/mips32/fpu/libc.abilist   |   1 +
 .../sysv/linux/mips/mips32/nofpu/libc.abilist |   1 +
 .../sysv/linux/mips/mips64/n32/libc.abilist   |   1 +
 .../sysv/linux/mips/mips64/n64/libc.abilist   |   1 +
 sysdeps/unix/sysv/linux/nios2/libc.abilist    |   1 +
 sysdeps/unix/sysv/linux/powerpc/bits/rseq.h   |  37 ++++
 .../linux/powerpc/powerpc32/fpu/libc.abilist  |   1 +
 .../powerpc/powerpc32/nofpu/libc.abilist      |   1 +
 .../linux/powerpc/powerpc64/be/libc.abilist   |   1 +
 .../linux/powerpc/powerpc64/le/libc.abilist   |   1 +
 .../unix/sysv/linux/riscv/rv64/libc.abilist   |   1 +
 sysdeps/unix/sysv/linux/rseq-internal.h       |  47 ++++
 sysdeps/unix/sysv/linux/rseq-sym.c            |  26 +++
 sysdeps/unix/sysv/linux/s390/bits/rseq.h      |  37 ++++
 .../unix/sysv/linux/s390/s390-32/libc.abilist |   1 +
 .../unix/sysv/linux/s390/s390-64/libc.abilist |   1 +
 sysdeps/unix/sysv/linux/sh/be/libc.abilist    |   1 +
 sysdeps/unix/sysv/linux/sh/le/libc.abilist    |   1 +
 .../sysv/linux/sparc/sparc32/libc.abilist     |   1 +
 .../sysv/linux/sparc/sparc64/libc.abilist     |   1 +
 sysdeps/unix/sysv/linux/sys/rseq.h            | 207 ++++++++++++++++++
 sysdeps/unix/sysv/linux/x86/bits/rseq.h       |  30 +++
 .../unix/sysv/linux/x86_64/64/libc.abilist    |   1 +
 .../unix/sysv/linux/x86_64/x32/libc.abilist   |   1 +
 47 files changed, 716 insertions(+), 4 deletions(-)
 create mode 100644 misc/rseq-internal.h
 create mode 100644 sysdeps/unix/sysv/linux/aarch64/bits/rseq.h
 create mode 100644 sysdeps/unix/sysv/linux/arm/bits/rseq.h
 create mode 100644 sysdeps/unix/sysv/linux/bits/rseq.h
 create mode 100644 sysdeps/unix/sysv/linux/mips/bits/rseq.h
 create mode 100644 sysdeps/unix/sysv/linux/powerpc/bits/rseq.h
 create mode 100644 sysdeps/unix/sysv/linux/rseq-internal.h
 create mode 100644 sysdeps/unix/sysv/linux/rseq-sym.c
 create mode 100644 sysdeps/unix/sysv/linux/s390/bits/rseq.h
 create mode 100644 sysdeps/unix/sysv/linux/sys/rseq.h
 create mode 100644 sysdeps/unix/sysv/linux/x86/bits/rseq.h

* Mathieu Desnoyers:

> diff --git a/NEWS b/NEWS
> index 0e627b3405..0b85a02c12 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -18,6 +18,16 @@ Major new features:
>  * The GNU C Library now loads audit modules listed in the DT_AUDIT and
>    DT_DEPAUDIT dynamic section entries of the main executable.
>  
> +* Support for automatically registering threads with the Linux rseq(2)
> +  system call has been added.  This system call is implemented starting
> +  from Linux 4.18.  The Restartable Sequences ABI accelerates user-space
> +  operations on per-cpu data.  It allows user-space to perform updates
> +  on per-cpu data without requiring heavy-weight atomic operations.
> +  Automatically registering threads allows all libraries, including libc,
> +  to make immediate use of the rseq(2) support by using the documented ABI.
> +  The GNU C Library manual has details on integration of Restartable
> +  Sequences.

GNU style doesn't use (2) here, I think.

> diff --git a/manual/threads.texi b/manual/threads.texi
> index 0858ef8f92..4754cdaeb5 100644
> --- a/manual/threads.texi
> +++ b/manual/threads.texi

> @@ -881,3 +883,27 @@ Behaves like @code{pthread_timedjoin_np} except that the absolute time in
>  @c pthread_spin_unlock
>  @c pthread_testcancel
>  @c pthread_yield
> +
> +@node Restartable Sequences
> +@section Restartable Sequences
> +@cindex rseq

Suggest: @cindex Restartable Sequences

> +
> +This section describes @theglibc{} Restartable Sequences integration.

Suggest: This section describes Restartable Sequences integration for
@theglibc{}.  (Avoids an excessively long noun phrase.)

Maybe mention which uses of the rseq syscall are permitted behind the
back of glibc?  And that code should not leave dangling rseq cs pointers
behind (the dlopen interaction)?

> +@deftypevar {struct rseq} __rseq_abi
> +@standards{Linux, sys/rseq.h}
> +@Theglibc{} implements a @code{__rseq_abi} TLS symbol to interact with the
> +Restartable Sequences system call (Linux-specific).  The layout of this
> +structure is defined by the Linux kernel @file{linux/rseq.h} UAPI.

The linux/rseq.h reference seems redundant, given that sys/rseq.h covers
it as well.

> +Registration of each thread's @code{__rseq_abi} is performed by
> +@theglibc{} at libc initialization and pthread creation.

Suggest: library initialization and thread creation

> +@end deftypevar
> +
> +@deftypevr Macro int RSEQ_SIG
> +@standards{Linux, sys/rseq.h}
> +Each supported architecture provide a @code{RSEQ_SIG} macro in

Typo: provides

> +@file{sys/rseq.h} which contains a signature.  That signature is expected to be
> +present in the code before each Restartable Sequences abort handler.  Failure
> +to provide the expected signature may terminate the process with a Segmentation
> +fault.

Suggest: segmentation fault (no capitalization)

> diff --git a/misc/rseq-internal.h b/misc/rseq-internal.h
> new file mode 100644
> index 0000000000..16f197397f
> --- /dev/null
> +++ b/misc/rseq-internal.h

Maybe this should go in to sysdeps/generic instead of misc?
(See the recent discussion about elf_machine_sym_no_match.)

> diff --git a/sysdeps/unix/sysv/linux/rseq-internal.h b/sysdeps/unix/sysv/linux/rseq-internal.h
> new file mode 100644
> index 0000000000..3ecd4d0611
> --- /dev/null
> +++ b/sysdeps/unix/sysv/linux/rseq-internal.h
> @@ -0,0 +1,47 @@
> +/* Restartable Sequences internal API.  Linux implementation.
> +   Copyright (C) 2020 Free Software Foundation, Inc.
> +
> +   The GNU C Library is free software; you can redistribute it and/or
> +   modify it under the terms of the GNU Lesser General Public
> +   License as published by the Free Software Foundation; either
> +   version 2.1 of the License, or (at your option) any later version.
> +
> +   The GNU C Library is distributed in the hope that it will be useful,
> +   but WITHOUT ANY WARRANTY; without even the implied warranty of
> +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +   Lesser General Public License for more details.
> +
> +   You should have received a copy of the GNU Lesser General Public
> +   License along with the GNU C Library; if not, see
> +   <https://www.gnu.org/licenses/>.  */
> +
> +#ifndef RSEQ_INTERNAL_H
> +#define RSEQ_INTERNAL_H
> +
> +#include <sysdep.h>
> +#include <errno.h>
> +#include <kernel-features.h>
> +#include <sys/rseq.h>
> +
> +#ifdef RSEQ_SIG
> +static inline void
> +rseq_register_current_thread (void)
> +{
> +  int ret;
> +
> +  if (__rseq_abi.cpu_id == RSEQ_CPU_ID_REGISTRATION_FAILED)
> +    return;
> +  ret = INTERNAL_SYSCALL_CALL (rseq, &__rseq_abi, sizeof (struct rseq),
> +                              0, RSEQ_SIG);
> +  if (INTERNAL_SYSCALL_ERROR_P (ret) &&
> +      INTERNAL_SYSCALL_ERRNO (ret) != EBUSY)
> +    __rseq_abi.cpu_id = RSEQ_CPU_ID_REGISTRATION_FAILED;

Sorry, I forgot: Please add a comment that the EBUSY error is ignored
because registration may have already happened in a legacy library.

> diff --git a/sysdeps/unix/sysv/linux/sys/rseq.h b/sysdeps/unix/sysv/linux/sys/rseq.h
> new file mode 100644
> index 0000000000..de6600ff45
> --- /dev/null
> +++ b/sysdeps/unix/sysv/linux/sys/rseq.h

> +#ifdef __GLIBC_HAVE_KERNEL_RSEQ
> +/* We use the structures declarations from the kernel headers.  */
> +# include <linux/rseq.h>
> +#else
> +/* We use a copy of the include/uapi/linux/rseq.h kernel header.  */
> +
> +#include <asm/byteorder.h>

Missing “# include“ indentation.

> +#ifdef __LP64__

Likewise (more indentation needed below, include double-space
indentation).

> +/* Allocations of struct rseq and struct rseq_cs on the heap need to
> +   be aligned on 32 bytes.  Therefore, use of malloc is discouraged
> +   because it does not guarantee alignment.  posix_memalign should be
> +   used instead.  */
> +
> +extern __thread struct rseq __rseq_abi
> +__attribute__ ((tls_model ("initial-exec")));

Please indent the __attribute__ with two spaces.

Actual code looks good now.  Thanks.  I don't think there are any
remaining issues except maybe more documentation.

Florian

----- On Apr 30, 2020, at 8:20 AM, Florian Weimer fweimer@redhat.com wrote:

> * Mathieu Desnoyers:
> 
>> diff --git a/NEWS b/NEWS
>> index 0e627b3405..0b85a02c12 100644
>> --- a/NEWS
>> +++ b/NEWS
>> @@ -18,6 +18,16 @@ Major new features:
>>  * The GNU C Library now loads audit modules listed in the DT_AUDIT and
>>    DT_DEPAUDIT dynamic section entries of the main executable.
>>  
>> +* Support for automatically registering threads with the Linux rseq(2)
>> +  system call has been added.  This system call is implemented starting
>> +  from Linux 4.18.  The Restartable Sequences ABI accelerates user-space
>> +  operations on per-cpu data.  It allows user-space to perform updates
>> +  on per-cpu data without requiring heavy-weight atomic operations.
>> +  Automatically registering threads allows all libraries, including libc,
>> +  to make immediate use of the rseq(2) support by using the documented ABI.
>> +  The GNU C Library manual has details on integration of Restartable
>> +  Sequences.
> 
> GNU style doesn't use (2) here, I think.

OK

> 
>> diff --git a/manual/threads.texi b/manual/threads.texi
>> index 0858ef8f92..4754cdaeb5 100644
>> --- a/manual/threads.texi
>> +++ b/manual/threads.texi
> 
>> @@ -881,3 +883,27 @@ Behaves like @code{pthread_timedjoin_np} except that the
>> absolute time in
>>  @c pthread_spin_unlock
>>  @c pthread_testcancel
>>  @c pthread_yield
>> +
>> +@node Restartable Sequences
>> +@section Restartable Sequences
>> +@cindex rseq
> 
> Suggest: @cindex Restartable Sequences

OK

> 
>> +
>> +This section describes @theglibc{} Restartable Sequences integration.
> 
> Suggest: This section describes Restartable Sequences integration for
> @theglibc{}.  (Avoids an excessively long noun phrase.)

OK

> 
> Maybe mention which uses of the rseq syscall are permitted behind the
> back of glibc?  And that code should not leave dangling rseq cs pointers
> behind (the dlopen interaction)?

Here is the entire updated section, let me know if I missed anything:

@deftypevar {struct rseq} __rseq_abi
@standards{Linux, sys/rseq.h}
@Theglibc{} implements a @code{__rseq_abi} TLS symbol to interact with the
Restartable Sequences system call (Linux-specific).  The layout of this
structure is defined by the @file{sys/rseq.h} header.  Registration of each
thread's @code{__rseq_abi} is performed by @theglibc{} at libc library
initialization and thread creation.

The main executable and shared libraries may either have an undefined
@code{__rseq_abi} TLS symbol, or define their own, with the same
declaration as the one present in @file{sys/rseq.h}.  The dynamic linker
will ensure that only one of those available symbols will be used at
runtime across the process.

If the main executable or shared libraries observe an uninitialized
@code{__rseq_abi.cpu_id} field (value @code{RSEQ_CPU_ID_UNINITIALIZED}), they
may perform rseq registration to the kernel: this means either glibc was
prevented from doing the registration, or an older glibc version, which does
not include rseq support, is in use.  When the main executable or a library
thus takes ownership of the registration, the memory used to hold the
@code{__rseq_abi} TLS variable must stay allocated, and is not re-used, until
the very end of the thread lifetime or until an explicit rseq unregistration
for that thread is performed.  It is not recommended to dlclose() libraries
owning the @code{__rseq_abi} TLS variable.

Users of the @code{__rseq_abi} TLS symbol can store the address of a
@code{struct rseq_cs} to the @code{__rseq_abi.rseq_cs.uptr.ptr} TLS variable,
thus informing the kernel that it enters a Restartable Sequence critical
section.  This pointer and the code areas it itself points to must not be left
pointing to memory areas which are freed or re-used.  Several approaches can
guarantee this.  If the application or library can guarantee that the memory
used to hold the @code{struct rseq_cs} and the code areas it refers to are
never freed or re-used, no special action must be taken.  Else, before that
memory is re-used of freed, the application is responsible for setting the
@code{__rseq_abi.rseq_cs.uptr.ptr} TLS variable to @code{NULL} in each thread's
TLS to guarantee that it does not leak dangling references.  Because the
application does not typically have knowledge of libraries' use of Restartable
Sequences, it is recommended that libraries using Restartable Sequences which
may end up freeing or re-using their memory set the
@code{__rseq_abi.rseq_cs.uptr.ptr} TLS variable to @code{NULL} before returning
from library functions which use Restartable Sequences.

> 
>> +@deftypevar {struct rseq} __rseq_abi
>> +@standards{Linux, sys/rseq.h}
>> +@Theglibc{} implements a @code{__rseq_abi} TLS symbol to interact with the
>> +Restartable Sequences system call (Linux-specific).  The layout of this
>> +structure is defined by the Linux kernel @file{linux/rseq.h} UAPI.
> 
> The linux/rseq.h reference seems redundant, given that sys/rseq.h covers
> it as well.

OK

> 
>> +Registration of each thread's @code{__rseq_abi} is performed by
>> +@theglibc{} at libc initialization and pthread creation.
> 
> Suggest: library initialization and thread creation

OK

> 
>> +@end deftypevar
>> +
>> +@deftypevr Macro int RSEQ_SIG
>> +@standards{Linux, sys/rseq.h}
>> +Each supported architecture provide a @code{RSEQ_SIG} macro in
> 
> Typo: provides

OK

> 
>> +@file{sys/rseq.h} which contains a signature.  That signature is expected to be
>> +present in the code before each Restartable Sequences abort handler.  Failure
>> +to provide the expected signature may terminate the process with a Segmentation
>> +fault.
> 
> Suggest: segmentation fault (no capitalization)

OK

> 
>> diff --git a/misc/rseq-internal.h b/misc/rseq-internal.h
>> new file mode 100644
>> index 0000000000..16f197397f
>> --- /dev/null
>> +++ b/misc/rseq-internal.h
> 
> Maybe this should go in to sysdeps/generic instead of misc?
> (See the recent discussion about elf_machine_sym_no_match.)

OK

> 
>> diff --git a/sysdeps/unix/sysv/linux/rseq-internal.h
>> b/sysdeps/unix/sysv/linux/rseq-internal.h
>> new file mode 100644
>> index 0000000000..3ecd4d0611
>> --- /dev/null
>> +++ b/sysdeps/unix/sysv/linux/rseq-internal.h
>> @@ -0,0 +1,47 @@
>> +/* Restartable Sequences internal API.  Linux implementation.
>> +   Copyright (C) 2020 Free Software Foundation, Inc.
>> +
>> +   The GNU C Library is free software; you can redistribute it and/or
>> +   modify it under the terms of the GNU Lesser General Public
>> +   License as published by the Free Software Foundation; either
>> +   version 2.1 of the License, or (at your option) any later version.
>> +
>> +   The GNU C Library is distributed in the hope that it will be useful,
>> +   but WITHOUT ANY WARRANTY; without even the implied warranty of
>> +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
>> +   Lesser General Public License for more details.
>> +
>> +   You should have received a copy of the GNU Lesser General Public
>> +   License along with the GNU C Library; if not, see
>> +   <https://www.gnu.org/licenses/>.  */
>> +
>> +#ifndef RSEQ_INTERNAL_H
>> +#define RSEQ_INTERNAL_H
>> +
>> +#include <sysdep.h>
>> +#include <errno.h>
>> +#include <kernel-features.h>
>> +#include <sys/rseq.h>
>> +
>> +#ifdef RSEQ_SIG
>> +static inline void
>> +rseq_register_current_thread (void)
>> +{
>> +  int ret;
>> +
>> +  if (__rseq_abi.cpu_id == RSEQ_CPU_ID_REGISTRATION_FAILED)
>> +    return;
>> +  ret = INTERNAL_SYSCALL_CALL (rseq, &__rseq_abi, sizeof (struct rseq),
>> +                              0, RSEQ_SIG);
>> +  if (INTERNAL_SYSCALL_ERROR_P (ret) &&
>> +      INTERNAL_SYSCALL_ERRNO (ret) != EBUSY)
>> +    __rseq_abi.cpu_id = RSEQ_CPU_ID_REGISTRATION_FAILED;
> 
> Sorry, I forgot: Please add a comment that the EBUSY error is ignored
> because registration may have already happened in a legacy library.

Considering that we now disable signals across thread creation, and that
glibc's initialization happens before other libraries' constructors
(as far as I remember even before LD_PRELOADed library constructors),
in which scenario can we expect to have EBUSY here ?

Not setting __rseq_abi.cpu_id to RSEQ_CPU_ID_REGISTRATION_FAILED in case
of EBUSY is more a way to handle "unforeseen" scenarios where somehow the
registration would already be done. But I cannot find an "expected"
scenario which would lead to this now.

So if EBUSY really is unexpected, how should we treat that ? I don't think
setting REGISTRATION_FAILED would be appropriate, because then it would
break assumption of the prior successful registration that have already
been done by this thread.

> 
>> diff --git a/sysdeps/unix/sysv/linux/sys/rseq.h
>> b/sysdeps/unix/sysv/linux/sys/rseq.h
>> new file mode 100644
>> index 0000000000..de6600ff45
>> --- /dev/null
>> +++ b/sysdeps/unix/sysv/linux/sys/rseq.h
> 
>> +#ifdef __GLIBC_HAVE_KERNEL_RSEQ
>> +/* We use the structures declarations from the kernel headers.  */
>> +# include <linux/rseq.h>
>> +#else
>> +/* We use a copy of the include/uapi/linux/rseq.h kernel header.  */
>> +
>> +#include <asm/byteorder.h>
> 
> Missing “# include“ indentation.

OK

> 
>> +#ifdef __LP64__
> 
> Likewise (more indentation needed below, include double-space
> indentation).

OK

> 
>> +/* Allocations of struct rseq and struct rseq_cs on the heap need to
>> +   be aligned on 32 bytes.  Therefore, use of malloc is discouraged
>> +   because it does not guarantee alignment.  posix_memalign should be
>> +   used instead.  */
>> +
>> +extern __thread struct rseq __rseq_abi
>> +__attribute__ ((tls_model ("initial-exec")));
> 
> Please indent the __attribute__ with two spaces.

OK

> 
> Actual code looks good now.  Thanks.  I don't think there are any
> remaining issues except maybe more documentation.

I raised a few questions in my reply to yours, so I'll wait for your
input on those topics before the next iteration.

Thanks,

Mathieu

* Mathieu Desnoyers:

> @deftypevar {struct rseq} __rseq_abi
> @standards{Linux, sys/rseq.h}
> @Theglibc{} implements a @code{__rseq_abi} TLS symbol to interact with the
> Restartable Sequences system call (Linux-specific).  The layout of this
> structure is defined by the @file{sys/rseq.h} header.  Registration of each
> thread's @code{__rseq_abi} is performed by @theglibc{} at libc library
> initialization and thread creation.

s/libc library/library/

> The main executable and shared libraries may either have an undefined
> @code{__rseq_abi} TLS symbol, or define their own, with the same
> declaration as the one present in @file{sys/rseq.h}.  The dynamic linker
> will ensure that only one of those available symbols will be used at
> runtime across the process.
>
> If the main executable or shared libraries observe an uninitialized
> @code{__rseq_abi.cpu_id} field (value @code{RSEQ_CPU_ID_UNINITIALIZED}), they
> may perform rseq registration to the kernel: this means either glibc was
> prevented from doing the registration, or an older glibc version, which does
> not include rseq support, is in use.  When the main executable or a library
> thus takes ownership of the registration, the memory used to hold the
> @code{__rseq_abi} TLS variable must stay allocated, and is not re-used, until
> the very end of the thread lifetime or until an explicit rseq unregistration
> for that thread is performed.  It is not recommended to dlclose() libraries
> owning the @code{__rseq_abi} TLS variable.

s/dlclose()/@code{dlclose}/ (no parentheses)

Rest looks okay.

>>> +  if (__rseq_abi.cpu_id == RSEQ_CPU_ID_REGISTRATION_FAILED)
>>> +    return;
>>> +  ret = INTERNAL_SYSCALL_CALL (rseq, &__rseq_abi, sizeof (struct rseq),
>>> +                              0, RSEQ_SIG);
>>> +  if (INTERNAL_SYSCALL_ERROR_P (ret) &&
>>> +      INTERNAL_SYSCALL_ERRNO (ret) != EBUSY)
>>> +    __rseq_abi.cpu_id = RSEQ_CPU_ID_REGISTRATION_FAILED;
>> 
>> Sorry, I forgot: Please add a comment that the EBUSY error is ignored
>> because registration may have already happened in a legacy library.
>
> Considering that we now disable signals across thread creation, and that
> glibc's initialization happens before other libraries' constructors
> (as far as I remember even before LD_PRELOADed library constructors),
> in which scenario can we expect to have EBUSY here ?

That's a good point.

> Not setting __rseq_abi.cpu_id to RSEQ_CPU_ID_REGISTRATION_FAILED in case
> of EBUSY is more a way to handle "unforeseen" scenarios where somehow the
> registration would already be done. But I cannot find an "expected"
> scenario which would lead to this now.
>
> So if EBUSY really is unexpected, how should we treat that ? I don't think
> setting REGISTRATION_FAILED would be appropriate, because then it would
> break assumption of the prior successful registration that have already
> been done by this thread.

You could call __libc_fatal with an error message.  ENOSYS is definitely
an expected error code here, and EPERM (and perhaps EACCES) can happen
with seccomp filters.

Thanks,
Florian

----- On Apr 30, 2020, at 12:36 PM, Florian Weimer fweimer@redhat.com wrote:

> * Mathieu Desnoyers:
> 
[...]
> 
>>>> +  if (__rseq_abi.cpu_id == RSEQ_CPU_ID_REGISTRATION_FAILED)
>>>> +    return;
>>>> +  ret = INTERNAL_SYSCALL_CALL (rseq, &__rseq_abi, sizeof (struct rseq),
>>>> +                              0, RSEQ_SIG);
>>>> +  if (INTERNAL_SYSCALL_ERROR_P (ret) &&
>>>> +      INTERNAL_SYSCALL_ERRNO (ret) != EBUSY)
>>>> +    __rseq_abi.cpu_id = RSEQ_CPU_ID_REGISTRATION_FAILED;
>>> 
>>> Sorry, I forgot: Please add a comment that the EBUSY error is ignored
>>> because registration may have already happened in a legacy library.
>>
>> Considering that we now disable signals across thread creation, and that
>> glibc's initialization happens before other libraries' constructors
>> (as far as I remember even before LD_PRELOADed library constructors),
>> in which scenario can we expect to have EBUSY here ?
> 
> That's a good point.
> 
>> Not setting __rseq_abi.cpu_id to RSEQ_CPU_ID_REGISTRATION_FAILED in case
>> of EBUSY is more a way to handle "unforeseen" scenarios where somehow the
>> registration would already be done. But I cannot find an "expected"
>> scenario which would lead to this now.
>>
>> So if EBUSY really is unexpected, how should we treat that ? I don't think
>> setting REGISTRATION_FAILED would be appropriate, because then it would
>> break assumption of the prior successful registration that have already
>> been done by this thread.
> 
> You could call __libc_fatal with an error message.  ENOSYS is definitely
> an expected error code here, and EPERM (and perhaps EACCES) can happen
> with seccomp filters.

If we go this way, I'd also recommend to treat any situation where
__rseq_abi.cpu_id is already initialized as a fatal error. Does the
code below seem OK to you ?

static inline void
rseq_register_current_thread (void)
{
  int ret;

  if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
    __libc_fatal ("rseq already initialized for this thread\n");
  ret = INTERNAL_SYSCALL_CALL (rseq, &__rseq_abi, sizeof (struct rseq),
                              0, RSEQ_SIG);
  if (INTERNAL_SYSCALL_ERROR_P (ret))
    {
      if (INTERNAL_SYSCALL_ERRNO (ret) == EBUSY)
        __libc_fatal ("rseq already registered for this thread\n");
      __rseq_abi.cpu_id = RSEQ_CPU_ID_REGISTRATION_FAILED;
    }
}

Thanks,

Mathieu

* Mathieu Desnoyers:

> If we go this way, I'd also recommend to treat any situation where
> __rseq_abi.cpu_id is already initialized as a fatal error. Does the
> code below seem OK to you ?
>
> static inline void
> rseq_register_current_thread (void)
> {
>   int ret;
>
>   if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
>     __libc_fatal ("rseq already initialized for this thread\n");

Agreed; this should work because this code runs after relocation
processing.

>   ret = INTERNAL_SYSCALL_CALL (rseq, &__rseq_abi, sizeof (struct rseq),
>                               0, RSEQ_SIG);
>   if (INTERNAL_SYSCALL_ERROR_P (ret))
>     {
>       if (INTERNAL_SYSCALL_ERRNO (ret) == EBUSY)
>         __libc_fatal ("rseq already registered for this thread\n");
>       __rseq_abi.cpu_id = RSEQ_CPU_ID_REGISTRATION_FAILED;
>     }
> }

__libc_fatal does not attribute the error to glibc, so I suggest to
start the error messages with “glibc fatal error: ”, so that people know
where to look.

Thanks,
Florian

----- On Apr 30, 2020, at 1:07 PM, Florian Weimer fweimer@redhat.com wrote:
[...]
> __libc_fatal does not attribute the error to glibc, so I suggest to
> start the error messages with “glibc fatal error: ”, so that people know
> where to look.

OK. Is there a strict requirement on limiting to 80 columns for code
including an error message string in glibc ? IOW:

  if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
    __libc_fatal ("glibc fatal error: rseq already initialized for this thread\n");

or

  if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
    __libc_fatal ("glibc fatal error: "
                  "rseq already initialized for this thread\n");

?

Thanks,

Mathieu

* Mathieu Desnoyers:

> ----- On Apr 30, 2020, at 1:07 PM, Florian Weimer fweimer@redhat.com wrote:
> [...]
>> __libc_fatal does not attribute the error to glibc, so I suggest to
>> start the error messages with “glibc fatal error: ”, so that people know
>> where to look.
>
> OK. Is there a strict requirement on limiting to 80 columns for code
> including an error message string in glibc ? IOW:
>
>   if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
>     __libc_fatal ("glibc fatal error: rseq already initialized for this thread\n");
>
> or
>
>   if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
>     __libc_fatal ("glibc fatal error: "
>                   "rseq already initialized for this thread\n");
>
> ?

The latter, please.  Some code also uses

  if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
     __libc_fatal ("\
glibc fatal error: rseq already initialized for this thread\n");

But that's not really my preference.

(Trimmed the Cc: list a bit, we are really down to glibc specifics at
this point.)

Thanks,
Florian

----- On Apr 30, 2020, at 1:46 PM, Florian Weimer fweimer@redhat.com wrote:

> * Mathieu Desnoyers:
> 
>> ----- On Apr 30, 2020, at 1:07 PM, Florian Weimer fweimer@redhat.com wrote:
>> [...]
>>> __libc_fatal does not attribute the error to glibc, so I suggest to
>>> start the error messages with “glibc fatal error: ”, so that people know
>>> where to look.
>>
>> OK. Is there a strict requirement on limiting to 80 columns for code
>> including an error message string in glibc ? IOW:
>>
>>   if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
>>     __libc_fatal ("glibc fatal error: rseq already initialized for this thread\n");
>>
>> or
>>
>>   if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
>>     __libc_fatal ("glibc fatal error: "
>>                   "rseq already initialized for this thread\n");
>>
>> ?
> 
> The latter, please.  Some code also uses
> 
>  if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
>     __libc_fatal ("\
> glibc fatal error: rseq already initialized for this thread\n");
> 
> But that's not really my preference.
> 
> (Trimmed the Cc: list a bit, we are really down to glibc specifics at
> this point.)

One last question with respect to handling of rseq errno values. We currently
have (based on my own rseq(2) man page, not upstream yet):

ERRORS
       EINVAL Either flags contains an invalid value, or rseq contains an address which is not appropriately  aligned,
              or rseq_len contains a size that does not match the size received on registration.

       ENOSYS The rseq() system call is not implemented by this kernel.

       EFAULT rseq is an invalid address.

       EBUSY  Restartable sequence is already registered for this thread.

       EPERM  The sig argument on unregistration does not match the signature received on registration.

So with the current suggestions, we basically treat "EBUSY" as a __libc_fatal (),
which is fine, and all other errno values (EINVAL, ENOSYS, EFAULT, EPERM) as
conditions which will just disable rseq for the thread by marking cpu_id as
RSEQ_CPU_ID_REGISTRATION_FAILED.

I'm hesitant to treat "EINVAL", and "EFAULT" in this way, as those errno should IMHO
really abort libc as well with an appropriate __libc_fatal () message, because something
is clearly going wrong and we don't want to hide it under the carpet by just
disabling rseq support silently.

Also, I personally consider that adding an additional errno value
to an existing system call for a given set of supported system call
parameters is an ABI breakage, but I _know_ the Linux kernel community
as a whole does not feel that way, and they are known to have pretty much
silently added additional errno values to existing system calls as long
as nobody complains.

Considering this, I wonder if we should be strict and e.g. do:

const char *msg = NULL;

switch (INTERNAL_SYSCALL_ERRNO (ret))
  {
  case ENOSYS:
  case EPERM:
    /* rseq system call is unavailable or not permitted.  */
    __rseq_abi.cpu_id = RSEQ_CPU_ID_REGISTRATION_FAILED;
    break;
  case EINVAL:
    msg = "glibc fatal error: rseq already registered for this thread\n";
    break;
  case EBUSY:
    msg = "glibc fatal error: rseq parameters are invalid";
  case EFAULT:
    msg = "glibc fatal error: rseq is an invalid address";
    break;
  default:
    msg = "glibc fatal error: unexpected rseq errno";
    break;
  }
if (msg)
  __libc_fatal (msg);

Also considering that __libc_fatal only takes a string as parameter,
I wonder if there is a facility to print the errno string I could use
instead of __libc_fatal () ?

Thanks,

Mathieu

----- On Apr 30, 2020, at 3:39 PM, Mathieu Desnoyers mathieu.desnoyers@efficios.com wrote:

> ----- On Apr 30, 2020, at 1:46 PM, Florian Weimer fweimer@redhat.com wrote:
> 
>> * Mathieu Desnoyers:
>> 
>>> ----- On Apr 30, 2020, at 1:07 PM, Florian Weimer fweimer@redhat.com wrote:
>>> [...]
>>>> __libc_fatal does not attribute the error to glibc, so I suggest to
>>>> start the error messages with “glibc fatal error: ”, so that people know
>>>> where to look.
>>>
>>> OK. Is there a strict requirement on limiting to 80 columns for code
>>> including an error message string in glibc ? IOW:
>>>
>>>   if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
>>>     __libc_fatal ("glibc fatal error: rseq already initialized for this thread\n");
>>>
>>> or
>>>
>>>   if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
>>>     __libc_fatal ("glibc fatal error: "
>>>                   "rseq already initialized for this thread\n");
>>>
>>> ?
>> 
>> The latter, please.  Some code also uses
>> 
>>  if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
>>     __libc_fatal ("\
>> glibc fatal error: rseq already initialized for this thread\n");
>> 
>> But that's not really my preference.
>> 
>> (Trimmed the Cc: list a bit, we are really down to glibc specifics at
>> this point.)
> 
> One last question with respect to handling of rseq errno values. We currently
> have (based on my own rseq(2) man page, not upstream yet):
> 
> ERRORS
>       EINVAL Either flags contains an invalid value, or rseq contains an address which
>       is not appropriately  aligned,
>              or rseq_len contains a size that does not match the size received on
>              registration.
> 
>       ENOSYS The rseq() system call is not implemented by this kernel.
> 
>       EFAULT rseq is an invalid address.
> 
>       EBUSY  Restartable sequence is already registered for this thread.
> 
>       EPERM  The sig argument on unregistration does not match the signature received
>       on registration.
> 
> So with the current suggestions, we basically treat "EBUSY" as a __libc_fatal
> (),
> which is fine, and all other errno values (EINVAL, ENOSYS, EFAULT, EPERM) as
> conditions which will just disable rseq for the thread by marking cpu_id as
> RSEQ_CPU_ID_REGISTRATION_FAILED.
> 
> I'm hesitant to treat "EINVAL", and "EFAULT" in this way, as those errno should
> IMHO
> really abort libc as well with an appropriate __libc_fatal () message, because
> something
> is clearly going wrong and we don't want to hide it under the carpet by just
> disabling rseq support silently.
> 
> Also, I personally consider that adding an additional errno value
> to an existing system call for a given set of supported system call
> parameters is an ABI breakage, but I _know_ the Linux kernel community
> as a whole does not feel that way, and they are known to have pretty much
> silently added additional errno values to existing system calls as long
> as nobody complains.
> 
> Considering this, I wonder if we should be strict and e.g. do:
> 
> const char *msg = NULL;
> 
> switch (INTERNAL_SYSCALL_ERRNO (ret))
>  {
>  case ENOSYS:
>  case EPERM:
>    /* rseq system call is unavailable or not permitted.  */
>    __rseq_abi.cpu_id = RSEQ_CPU_ID_REGISTRATION_FAILED;
>    break;
>  case EINVAL:
>    msg = "glibc fatal error: rseq already registered for this thread\n";
>    break;
>  case EBUSY:
>    msg = "glibc fatal error: rseq parameters are invalid";
>  case EFAULT:
>    msg = "glibc fatal error: rseq is an invalid address";
>    break;
>  default:
>    msg = "glibc fatal error: unexpected rseq errno";
>    break;
>  }
> if (msg)
>  __libc_fatal (msg);
> 
> Also considering that __libc_fatal only takes a string as parameter,
> I wonder if there is a facility to print the errno string I could use
> instead of __libc_fatal () ?

I also suspect we'd want to handle "EACCES" in a non-fatal way in case
it is returned by seccomp. The seccomp internals seems to allow a lot of
freedom in letting the seccomp filters choose the errno number.

Thanks,

Mathieu

> 
> Thanks,
> 
> Mathieu
> 
> --
> Mathieu Desnoyers
> EfficiOS Inc.
> http://www.efficios.com

----- On Apr 30, 2020, at 3:53 PM, Mathieu Desnoyers mathieu.desnoyers@efficios.com wrote:

> ----- On Apr 30, 2020, at 3:39 PM, Mathieu Desnoyers
> mathieu.desnoyers@efficios.com wrote:
> 
>> ----- On Apr 30, 2020, at 1:46 PM, Florian Weimer fweimer@redhat.com wrote:
>> 
>>> * Mathieu Desnoyers:
>>> 
>>>> ----- On Apr 30, 2020, at 1:07 PM, Florian Weimer fweimer@redhat.com wrote:
>>>> [...]
>>>>> __libc_fatal does not attribute the error to glibc, so I suggest to
>>>>> start the error messages with “glibc fatal error: ”, so that people know
>>>>> where to look.
>>>>
>>>> OK. Is there a strict requirement on limiting to 80 columns for code
>>>> including an error message string in glibc ? IOW:
>>>>
>>>>   if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
>>>>     __libc_fatal ("glibc fatal error: rseq already initialized for this thread\n");
>>>>
>>>> or
>>>>
>>>>   if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
>>>>     __libc_fatal ("glibc fatal error: "
>>>>                   "rseq already initialized for this thread\n");
>>>>
>>>> ?
>>> 
>>> The latter, please.  Some code also uses
>>> 
>>>  if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
>>>     __libc_fatal ("\
>>> glibc fatal error: rseq already initialized for this thread\n");
>>> 
>>> But that's not really my preference.
>>> 
>>> (Trimmed the Cc: list a bit, we are really down to glibc specifics at
>>> this point.)
>> 
>> One last question with respect to handling of rseq errno values. We currently
>> have (based on my own rseq(2) man page, not upstream yet):
>> 
>> ERRORS
>>       EINVAL Either flags contains an invalid value, or rseq contains an address which
>>       is not appropriately  aligned,
>>              or rseq_len contains a size that does not match the size received on
>>              registration.
>> 
>>       ENOSYS The rseq() system call is not implemented by this kernel.
>> 
>>       EFAULT rseq is an invalid address.
>> 
>>       EBUSY  Restartable sequence is already registered for this thread.
>> 
>>       EPERM  The sig argument on unregistration does not match the signature received
>>       on registration.
>> 
>> So with the current suggestions, we basically treat "EBUSY" as a __libc_fatal
>> (),
>> which is fine, and all other errno values (EINVAL, ENOSYS, EFAULT, EPERM) as
>> conditions which will just disable rseq for the thread by marking cpu_id as
>> RSEQ_CPU_ID_REGISTRATION_FAILED.
>> 
>> I'm hesitant to treat "EINVAL", and "EFAULT" in this way, as those errno should
>> IMHO
>> really abort libc as well with an appropriate __libc_fatal () message, because
>> something
>> is clearly going wrong and we don't want to hide it under the carpet by just
>> disabling rseq support silently.
>> 
>> Also, I personally consider that adding an additional errno value
>> to an existing system call for a given set of supported system call
>> parameters is an ABI breakage, but I _know_ the Linux kernel community
>> as a whole does not feel that way, and they are known to have pretty much
>> silently added additional errno values to existing system calls as long
>> as nobody complains.
>> 
>> Considering this, I wonder if we should be strict and e.g. do:
>> 
>> const char *msg = NULL;
>> 
>> switch (INTERNAL_SYSCALL_ERRNO (ret))
>>  {
>>  case ENOSYS:
>>  case EPERM:
>>    /* rseq system call is unavailable or not permitted.  */
>>    __rseq_abi.cpu_id = RSEQ_CPU_ID_REGISTRATION_FAILED;
>>    break;
>>  case EINVAL:
>>    msg = "glibc fatal error: rseq already registered for this thread\n";
>>    break;
>>  case EBUSY:
>>    msg = "glibc fatal error: rseq parameters are invalid";
>>  case EFAULT:
>>    msg = "glibc fatal error: rseq is an invalid address";
>>    break;
>>  default:
>>    msg = "glibc fatal error: unexpected rseq errno";
>>    break;
>>  }
>> if (msg)
>>  __libc_fatal (msg);
>> 
>> Also considering that __libc_fatal only takes a string as parameter,
>> I wonder if there is a facility to print the errno string I could use
>> instead of __libc_fatal () ?
> 
> I also suspect we'd want to handle "EACCES" in a non-fatal way in case
> it is returned by seccomp. The seccomp internals seems to allow a lot of
> freedom in letting the seccomp filters choose the errno number.

I'm actually wondering about "EPERM". Is it sometimes used by seccomp
filters to refuse a system call ? Based on the rseq man page, EPERM
should only be returned by rseq unregistration if the signature does not
match. So I'm tempted to handle EPERM in a fatal way if we can assume
seccomp filters always return EACCES when refusing a system call. Any
input on this would be welcome.

Thanks,

Mathieu

* Mathieu Desnoyers:

> I'm actually wondering about "EPERM". Is it sometimes used by seccomp
> filters to refuse a system call ?

Yes, it's the default for systemd-nspawn.  I have argued against it, but
unsuccessfully.  It breaks all kinds of stuff inside glibc, too.

Thanks,
Florian

* Mathieu Desnoyers:

> Considering this, I wonder if we should be strict and e.g. do:
>
> const char *msg = NULL;
>
> switch (INTERNAL_SYSCALL_ERRNO (ret))
>   {
>   case ENOSYS:
>   case EPERM:
>     /* rseq system call is unavailable or not permitted.  */
>     __rseq_abi.cpu_id = RSEQ_CPU_ID_REGISTRATION_FAILED;
>     break;
>   case EINVAL:
>     msg = "glibc fatal error: rseq already registered for this thread\n";
>     break;
>   case EBUSY:
>     msg = "glibc fatal error: rseq parameters are invalid";
>   case EFAULT:
>     msg = "glibc fatal error: rseq is an invalid address";
>     break;
>   default:
>     msg = "glibc fatal error: unexpected rseq errno";
>     break;
>   }
> if (msg)
>   __libc_fatal (msg);

Not sure if this is necessary.  I think it's the first fatal error with
that kind of verbosity, and it's an odd place to start, all things
considered.

> Also considering that __libc_fatal only takes a string as parameter,
> I wonder if there is a facility to print the errno string I could use
> instead of __libc_fatal () ?

I wouldn't get too creative here given that this failure happens so
early during startup, and initialization is somewhat incomplete.

Thanks,
Florian

----- On Apr 30, 2020, at 4:34 PM, Florian Weimer fweimer@redhat.com wrote:

> * Mathieu Desnoyers:
> 
>> I'm actually wondering about "EPERM". Is it sometimes used by seccomp
>> filters to refuse a system call ?
> 
> Yes, it's the default for systemd-nspawn.  I have argued against it, but
> unsuccessfully.  It breaks all kinds of stuff inside glibc, too.

OK, so how about this errno handling ?

static inline void
rseq_register_current_thread (void)
{
  int ret;

  if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
    __libc_fatal ("glibc fatal error: "
                  "rseq already initialized for this thread\n");
  ret = INTERNAL_SYSCALL_CALL (rseq, &__rseq_abi, sizeof (struct rseq),
                              0, RSEQ_SIG);
  if (INTERNAL_SYSCALL_ERROR_P (ret))
    {
      const char *msg = NULL;

      switch (INTERNAL_SYSCALL_ERRNO (ret))
        {
        case ENOSYS:    /* rseq system call not implemented.  */
        case EPERM:     /* rseq system call filtered by seccomp.  */
        case EACCES:    /* rseq system call filtered by seccomp.  */
          __rseq_abi.cpu_id = RSEQ_CPU_ID_REGISTRATION_FAILED;
          break;
        case EINVAL:
          msg = "glibc fatal error: rseq already registered for this thread\n";
          break;
        case EBUSY:
          msg = "glibc fatal error: rseq parameters are invalid\n";
          break;
        case EFAULT:
          msg = "glibc fatal error: rseq is an invalid address\n";
          break;
        default:
          msg = "glibc fatal error: unexpected rseq errno\n";
          break;
        }
      if (msg)
        __libc_fatal (msg);
    }
}

Thanks,

Mathieu

----- On Apr 30, 2020, at 4:37 PM, Florian Weimer fweimer@redhat.com wrote:

> * Mathieu Desnoyers:
> 
>> Considering this, I wonder if we should be strict and e.g. do:
>>
>> const char *msg = NULL;
>>
>> switch (INTERNAL_SYSCALL_ERRNO (ret))
>>   {
>>   case ENOSYS:
>>   case EPERM:
>>     /* rseq system call is unavailable or not permitted.  */
>>     __rseq_abi.cpu_id = RSEQ_CPU_ID_REGISTRATION_FAILED;
>>     break;
>>   case EINVAL:
>>     msg = "glibc fatal error: rseq already registered for this thread\n";
>>     break;
>>   case EBUSY:
>>     msg = "glibc fatal error: rseq parameters are invalid";
>>   case EFAULT:
>>     msg = "glibc fatal error: rseq is an invalid address";
>>     break;
>>   default:
>>     msg = "glibc fatal error: unexpected rseq errno";
>>     break;
>>   }
>> if (msg)
>>   __libc_fatal (msg);
> 
> Not sure if this is necessary.  I think it's the first fatal error with
> that kind of verbosity, and it's an odd place to start, all things
> considered.

Well rigor in error reporting has to start somewhere, doesn't it ? ;)

> 
>> Also considering that __libc_fatal only takes a string as parameter,
>> I wonder if there is a facility to print the errno string I could use
>> instead of __libc_fatal () ?
> 
> I wouldn't get too creative here given that this failure happens so
> early during startup, and initialization is somewhat incomplete.

OK, will leave the default case as "glibc fatal error: unexpected rseq errno"
for now.

Thanks,

Mathieu

> 
> Thanks,
> Florian